Forum Discussion
LDAP Query for Attribute
- Feb 05, 2019
I ultimately got this working by creating an LDAP Query action, I used the following as a SearchFilter:
(SamAccountName=%{session.logon.last.username})
I set DistinguishedName as a required attribute so that I was able to use it later. These are case sensitive when you try to use them in Variable Assigns, so make sure to check the session variables after a login attempt if things aren't working.
The format of my LDAP users DN is CN=Bob\, Smith... or CN=Bob... so I had to cover both cases. The F5 adds an extra slash to the session variable to make it a literal slash in TCL (my guess). I had to create a variable assign to remove that extra slash so when it's sent to the LDAP server it understands it.
This was the expression field of my variable assign:
set dn "[mcget {session.ldap.last.attr.dn}]" if {[string first "\\" $dn] != -1} { return [string map {\\\\ \\} $dn] } else { return $dn }
Finally I created an LDAP auth action with the following in the UserDN. SearchDN and SearchFilter are empty.
I had to open a case with F5 to figure out how to not send hex to my LDAP server. They key is the :noconv function.
%{dn:noconv}
After this authentication worked!!
I ultimately got this working by creating an LDAP Query action, I used the following as a SearchFilter:
(SamAccountName=%{session.logon.last.username})
I set DistinguishedName as a required attribute so that I was able to use it later. These are case sensitive when you try to use them in Variable Assigns, so make sure to check the session variables after a login attempt if things aren't working.
The format of my LDAP users DN is CN=Bob\, Smith... or CN=Bob... so I had to cover both cases. The F5 adds an extra slash to the session variable to make it a literal slash in TCL (my guess). I had to create a variable assign to remove that extra slash so when it's sent to the LDAP server it understands it.
This was the expression field of my variable assign:
set dn "[mcget {session.ldap.last.attr.dn}]"
if {[string first "\\" $dn] != -1} {
return [string map {\\\\ \\} $dn]
} else {
return $dn
}
Finally I created an LDAP auth action with the following in the UserDN. SearchDN and SearchFilter are empty.
I had to open a case with F5 to figure out how to not send hex to my LDAP server. They key is the :noconv function.
%{dn:noconv}
After this authentication worked!!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com